Vidar

Global rank: 14
Month rank: 6
Week rank: 5
IOCs: 69779

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of vengeance. This stealer has been terrorizing the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 4 June, 2023

How to analyze Vidar with ANY.RUN


IOCs



What is Vidar malware?

Vidar is an information stealer trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems, take screenshots, steal cryptocurrency, and more.

General description of Vidar malware

Vidar is presumed to have originated in a Russian-speaking country since the malware is configured to stop execution if it detects that it is being run on a machine that is located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another cyber threat that is available for purchase based on the MaaS (Malware-as-a-Service) business model, Vidar can be purchased on its "official" website for a hefty price tag of $700, at least for the PRO version. A stripped-down version of the malware, however, can be obtained for just $250.

According to the Vidar trojan analysis, the malware is written in the C++ programming language. Purchasing an account grants the attacker access to a control panel where the cybercriminal can configure the malware to target particular information on the victims' PCs. Like Arkei, cybercriminals need to take precautions to secure the main payload themselves, using a crypter or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that Vidar data stealer uses domain names to locate its C&C servers, where stolen data is dropped; these domains change every four days. Though they change steadily, the C&C servers must respond constantly.


Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records, including data from TOR, as well as autofill value information, including banking and credit card details. Based on the Vidar analysis, the malware can search for cryptocurrency wallet information, take screenshots and act as a message stealer, recording private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar analysis

A video recorded in the ANY.RUN malware hunting service allows researchers to take a closer look at the lifecycle of Vidar and perform a Vidar analysis themselves.

Figure 1: A visual process graph generated by ANY.RUN

Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

According to the Vidar analysis, after the user downloads and runs a malicious file, it spawns a child process and collects information from the infected system. Often, after the information has been collected, the malware terminates and deletes itself from the system through a command-line command.
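The spawn-then-self-delete sequence described above is something a defender can hunt for in process-creation telemetry. The following is an added example (not ANY.RUN's or Vidar's code) that runs over constructed Sysmon-style events: it flags a child spawned with its parent's own image, and a cmd.exe delete command whose target is the executable of an ancestor process. The PIDs, paths and command lines are constructed for the sample.

```python
import re

# Constructed Sysmon-style process-creation events (pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\invoice.exe",
     "cmdline": r'"C:\Users\u\Downloads\invoice.exe"'},
    # The downloaded binary spawns a child running its own image, as the page describes.
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\Downloads\invoice.exe",
     "cmdline": r'"C:\Users\u\Downloads\invoice.exe"'},
    # The child removes the original file via cmd.exe once collection is done.
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout /t 3 & del /f /q "C:\Users\u\Downloads\invoice.exe"'},
    # Benign housekeeping: a delete that does not target any ancestor's image.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Temp\old.log"'},
]

def is_delete_command(cmdline):
    """True if the command line carries a del/erase verb as a separate token."""
    return re.search(r"(?:^|[\s&|(])(?:del|erase)\s", cmdline, re.IGNORECASE) is not None

def ancestors(event, by_pid, max_depth=4):
    """Walk the parent chain of an event, bounded in depth and safe against PID cycles."""
    chain, seen = [], set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen and len(chain) < max_depth:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain

def find_same_image_spawn(events):
    """PIDs of processes whose parent runs the very same image (the child-spawn step)."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if e["ppid"] in by_pid and by_pid[e["ppid"]]["image"].lower() == e["image"].lower()]

def find_self_deletion(events):
    """cmd.exe delete commands whose target path is the image of an ancestor process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe") or not is_delete_command(e["cmdline"]):
            continue
        cmd_lower = e["cmdline"].lower()
        for anc in ancestors(e, by_pid):
            if anc["image"].lower() in cmd_lower:
                findings.append({"cmd_pid": e["pid"], "deleted_pid": anc["pid"], "image": anc["image"]})
                break
    return findings
```

On real telemetry the same two functions can be fed Sysmon Event ID 1 records; the ancestor walk is what separates a self-deleting dropper from an unrelated cleanup script.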

How to avoid infection by Vidar malware?

When spread via spam email campaigns like NanoCore or Agent Tesla, the Vidar stealer requires the user to download and run a malicious file to enter an active state and begin execution. Therefore, following some basic cybersecurity rules can ensure that users will stay safe from Vidar malware and the incident response team will work effectively.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of being infected with malware such as the Vidar trojan, which uses these attack vectors to infect victims.

The distribution process of Vidar

According to the Vidar trojan analysis, Vidar is distributed through spam email campaigns as a malicious attachment, like other malware. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar infostealer targets users all over the world, except some ex-USSR countries, including Russia.

How to detect Vidar using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Vidar trojan using ANY.RUN's "Static Discovering" during your Vidar analysis. Either open the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Vidar's log file

Conclusion

Vidar is a hazardous information stealer trojan, distributed as malware as a service. Thanks to its extensive stealer feature set, Vidar trojan can be used to retrieve a wide variety of information, including stealing select cryptocurrency coins from the users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, allowing them to spread information about the danger and develop effective countermeasures and incident response.
